MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8db0b8f45f726a963b34410c74194e0b40f6720561731e8242ee60a8a7d7e3ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8db0b8f45f726a963b34410c74194e0b40f6720561731e8242ee60a8a7d7e3ce
SHA3-384 hash: 05ab0af9e6c38e8e110e0f392122352802116249345cebce49981b0d83d866e9805ef5a20ccf7ff81c7f2b030611dde0
SHA1 hash: 03de1ac490ba50e38da73dcc8f394df0bf842496
MD5 hash: 342e60aaffa3a55adedd4294ae9a75d0
humanhash: nuts-jig-freddie-echo
File name:Noteswx.msi
Download: download sample
Signature Quakbot
Create hunting rule
File size:1'540'096 bytes
First seen:2024-01-25 18:44:11 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:rfddydmCcUsQ0Bigw3yKNfALfT9Qw4trPoMhlBb7/nSej8AfL2BRqJPim4z5QnK:zddaVcUsQ0UspLbqhlBb7/nSej8Aj2B3
Threatray 14 similar samples on MalwareBazaar
TLSH T11165E101BAD48536E67726342E2051258B7FBD744F3584EDFE48701A8E74E90CFBAB62
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter k3dg3___
Tags:msi qbot Quakbot signed ta577

Code Signing Certificate

Organisation:Ken Friedman AB
Issuer:SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm:sha256WithRSAEncryption
Valid from:2023-12-26T17:58:18Z
Valid to:2024-12-25T17:58:18Z
Serial number: 44e737228040233fcd8ded2bf108ce8c
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: d91b3734b2b549f587181526a2c03d484fdba23afc178adcaac1a2ce8a5e8909
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/472937/
Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
installer
Link:
https://www.filescan.io/uploads/65b2ac328dfc251a25fee9b6/reports/2d8a990f-c265-402e-b310-91aa39c1ab60/overview
Verdict:
Malicious
Labled as:
Malware/Generic
Link:
https://www.hybrid-analysis.com/sample/8db0b8f45f726a963b34410c74194e0b40f6720561731e8242ee60a8a7d7e3ce
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/8db0b8f45f726a963b34410c74194e0b40f6720561731e8242ee60a8a7d7e3ce
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1381309
Signature
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1381309 Sample: Noteswx.msi Startdate: 25/01/2024 Architecture: WINDOWS Score: 48 60 kitronits.com 2->60 7 msiexec.exe 77 38 2->7         started        10 msiexec.exe 4 2->10         started        process3 file4 44 C:\Windows\Installer\MSIA5B6.tmp, PE32 7->44 dropped 46 C:\Windows\Installer\MSI9C5F.tmp, PE32 7->46 dropped 48 C:\Windows\Installer\MSI9901.tmp, PE32 7->48 dropped 12 msiexec.exe 7->12         started        14 msiexec.exe 9 7->14         started        50 C:\Users\user\AppData\...\WixSharp.UI.CA.dll, PE32 10->50 dropped process5 file6 17 rundll32.exe 15 11 12->17         started        22 rundll32.exe 7 12->22         started        24 rundll32.exe 6 12->24         started        52 C:\Users\user\AppData\Local\...\WixSharp.dll, PE32 14->52 dropped 54 C:\Users\user\AppData\...\WixSharp.UI.dll, PE32 14->54 dropped 56 Microsoft.Deployme...indowsInstaller.dll, PE32 14->56 dropped process7 dnsIp8 58 kitronits.com 144.202.77.179, 443, 49702 AS-CHOOPAUS United States 17->58 26 C:\Windows\Installer\...\tiho_exe.cs.dll, PE32 17->26 dropped 28 C:\Windows\Installer\...\WixSharp.dll, PE32 17->28 dropped 30 C:\Windows\Installer\...\WixSharp.UI.dll, PE32 17->30 dropped 32 Microsoft.Deployme...indowsInstaller.dll, PE32 17->32 dropped 62 System process connects to network (likely due to code injection or exploit) 17->62 34 C:\Windows\Installer\...\WixSharp.dll, PE32 22->34 dropped 42 2 other files (none is malicious) 22->42 dropped 36 C:\Windows\Installer\...\WixSharp.dll, PE32 24->36 dropped 38 C:\Windows\Installer\...\WixSharp.UI.dll, PE32 24->38 dropped 40 Microsoft.Deployme...indowsInstaller.dll, PE32 24->40 dropped file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8db0b8f45f726a963b34410c74194e0b40f6720561731e8242ee60a8a7d7e3ce/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rwylr5c7ojvjmozuieghigkobnapm4qfmfzr5asc5zqkrj6x4pha._file
Verdict:
unknown
Similar samples:
17fc8690f0f690c80af31d47573df647f81e9f3170aab5102b24aca8a0f9e8f9
Quakbot
2374fd5d049c1b8f1b7fd3115f035e9f154b1f04e1cc276507930811fe349399
Quakbot
6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
Quakbot
9c88b0caa2767d903e930306443c89e8d9a0f31208c225071855f2d1a693ba01
Quakbot
a4d2138624f8eebbbd665597b1b9e7c3817c374e0e27327cf8acf1b5c57a4b10
Quakbot
d9948bc3d500cfa0af44e63ad404708642bb1471508d88f77720c1e7369ee57c
Quakbot
f119f1e813cdb8dba30bd3348ef97cd8bf5213b3e1a9f25f008337e8b34eaee5
Quakbot
+ 4 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/240125-xd2j9sdhep/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Windows directory
Enumerates connected drives
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8db0b8f45f726a963b34410c74194e0b40f6720561731e8242ee60a8a7d7e3ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/472937/

Comments